Sr. Associate, Cyber Risk
Information Risk Management is a 2nd Line oversight function. At Santander, the Information Risk Management (IRM) team engages in key projects and business/technology initiatives, works with the 1st and 3rd Lines to drive a business aligned, risk-based, cost-effective program designed for the confidentiality, integrity and availability of information, information systems (technology infrastructure, application systems and end-user technology) and information resources in support of business products and processes.
Mutual commitment and shared interests are critical to our success. We value motivated self-starters, diverse perspectives, integrity, adaptability and excellence. We seek capable, experienced, qualified and motivated individuals who seek to advance their own professional goals by working with us to serve the best interests of our team, the firm and our customers.
Santander is looking to hire a Senior Associate, Information Risk Management to join our Information Risk Management team. We are looking for an experienced candidate with an Information Technology risk or audit background and experience in developing and managing information technology, information security or similarly complex programs in the Financial Services industry.
The Senior Associate, Information Risk Management is a member of the IRM team and accountable for advancing and delivering the governance, risk, compliance and oversight program. A key contributor to the design, implementation and delivery of the IRM Program, the Associate, Information Risk Management will drive key initiatives, execute risk-based practices and deliver commercially relevant outcomes necessary to foster our shared success.
The candidate will be part of the 2nd line of defense Information Risk Management team responsible for defining risk frameworks and policy, and providing oversight, review and credible challenge of risk management activities owned and managed by the 1st line of defense. This role will report to [Director / Senior Manager] of Information Risk Management.
The individual will partner with stakeholders across all lines of defense, all business lines and support functions, including IT, IS, Risk, Compliance, Legal, Audit, Human Resources and Finance, to support the identification, assessment, management and reporting of information risks. The individual will work in concert with the operational risk management team, including the vendor risk management and business continuity management teams, to ensure close coordination, integration, transparency and awareness of information risks across all risk management programs.
- Provides 2nd Line risk oversight of the Information Risk Management Program; additionally provides 2nd Line support for the Information Technology, Information Security, Business Continuity Management and Records Management Programs, including policies/standards/procedures, strategies, material risks, risk reporting routines and metrics.
- Focuses oversight primarily on the 1st Line's maintenance of an effective Enterprise Governance, Risk and Compliance (GRC) program and facilitates the identification of risks, ensuring proper mechanisms are in place to manage the identified risks.
- Credible review and challenge of 1st Line Risk and Control Self-Assessments, including process mapping, identification and assessment of risk, identification of controls, and assessments of control design and effectiveness.
- Assess security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.). Evaluate information for reliability, validity, and relevance.
- Evaluate multiple data sources to conduct trend analysis to identify key risk themes.
- Perform impact and risk assessments for quantitative and qualitative risk management.
- Analyze and assess internal and external partner cyber operations capabilities and tools.
- Supports the team's independent risk assessments of information risk management related disciplines.
- 7-10+ years’ experience working within a GRC, internal technology audit, information security, or risk management function.
- Experience in Banking / Financial Services.
- Bachelor’s degree in the field of IT, Information Security or related field.
- Motivated self-starter with positive energy, integrity and high professional standards.
- Detail oriented with the ability to understand high-level strategy.
- Ability to use critical thinking to analyze organizational patterns and relationships.
- Ability to communicate information in a clear, concise manner to all management levels.
- Ability to anticipate key target or threat activities which are likely to prompt a leadership decision.
- Ability to work well both independently and collaboratively as a member of the team.
- Excellent ability to multitask and prioritize effectively with minimal supervision.
- Risk Management Knowledge: Risk Identification, Risk Assessment, Risk Treatment Measures including Risk Acceptance, Governance including Measuring/Monitoring/Reporting, Risk Aggregation, Control Assessments & Controls Testing, etc.
- Information Technology Related Knowledge: Asset management, change management, incident/problem management, patch management, Software Development Life-Cycle (SDLC), release management, capacity/performance management, data/records management and destruction, backup and recovery, etc.
- Information Security Related Knowledge: Identity and access management, privileged access management, generic ID management, threat intelligence, vulnerability management, secure coding practices, FFIEC Cyber Assessment Tool (CAT), data security and encryption, phishing, forensics, mobile security, third-party vendors, etc.
- Business Continuity Management including Business Impact Analysis and Disaster Recovery Planning.
- Technical skills and capabilities (at minimum a general understanding of): Microsoft Windows, Red Hat Linux, IBM AIX, IBM Mainframe/Midrange, VMware ESXi, LAN/WAN/MAN Networking, Firewall Technologies, Intrusion Detection/Prevention Systems (IDS/IPS), Security Information and Event Management (SIEM), Cloud Computing, Governance Risk and Compliance (GRC) Tools, Web Proxies, SQL/Oracle/DB2 Database Technologies, Data Leakage Protection (DLP), Storage Area Networks (SAN) and Network Attached Storage (NAS), Email Systems, End-User Computing, Web Servers, Middleware Technologies, Microsoft SharePoint.
- Regulatory Knowledge: Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), OCC Heightened Standards, FFIEC Guidelines, HIPAA, NYDFS, GDPR.
- Knowledge of Industry-Standard Frameworks: NIST Cybersecurity Framework, SANS/CIS Critical Security Controls, ISO 9001/20000/22301/27001/31000, ISACA COBIT, COSO 2013.
- Boston, MA or Holmdel, NJ (travel between offices will be required).
- Reports to [Director / Senior Manager] of Information Risk Management.
- Extended hours may be required as dictated by management and business needs.
- Travel to multiple facilities may be required (total travel <20%).
- May be required to lift, push, or pull materials weighing up to twenty (20) pounds.
- May be required to sit and review information on a computer screen for extended periods of time.
- May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.
- Corporate / satellite office role.
Primary Location: Massachusetts-BOSTON-75 State Street - 06366 - State Street-Corp
Job Posting: Sep 24, 2019, 11:08:16 AM
AN EQUAL OPPORTUNITY EMPLOYER M/F/Vet/Disabled/SO